Valentine's day FakeAV woes (Feb 11, 2011)

SonicWALL UTM Research team discovered instances of polluted results appearing in search engine results for Valentine’s day related search terms. Malware authors often use SEO poisoning campaigns to lure unsuspecting users in to following malicious links strategically placed in search engine results. We observed similar campaigns in the past for “Wikileaks” and “Holiday Shopping” related keywords. It is evident from the new instances of polluted results that malware authors have updated their landing page and associated FakeAV executables . The search term “Valentines Day Gifts” leads users to the polluted search result shown below:

If the user clicks on the malicious link in the search results then it performs the following on the victim’s machine:

• The initial link redirects users to a FakeAV landing page.

  

• If the user downloads and runs the FakeAV executable then it performs the following on the victim’s machine:
  • Drops the following files:
  • %USERPROFILE%Application DatafPgHcEm13400fPgHcEm13400.exe (Copy of Itself) [Detected as FakeAlert.MHF (Trojan)]
  • %USERPROFILE%Application DatafPgHcEm13400fPgHcEm13400
  • Creates the following registry entry to ensure that the dropped malware runs on every system reboot:
    • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce: “fPgHcEm13400:%USERPROFILE%Application DatafPgHcEm13400fPgHcEm13400.exe”
  • It changes the wallpaper with the following text:
    • WARNING!
      YOU’RE IN DANGER!
      YOUR COMPUTER IS INFECTED WITH SPYWARE!

      ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK.
      WHEN YOU VISIT SITES,SEND EMAIL… ALL YOUR ACTIONS ARE
      LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES

      FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.
      Every site you or somebody or even something , like spyware, opened in your browsers,
      with all the images, and all the downloaded and maybe later removed movies or mp3 songs –
      ARE STILL THERE and could break your life !

      SECURE YOURSEFL RIGHT NOW! REMOVE ALL SPYWARE FROM YOUR PC!

  • It launches fake scans and when the user attempts to clean the machine a screen is displayed asking for credit card and personal information:
    

SonicWALL Gateway AntiVirus provided protection against this threat via following signatures:

GAV: FakeAlert.MHF (Trojan)

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.